Ramblings about security, rants about insecurity, occasional notes about reverse engineering, and of course, musings about malware. What more could you ask for?

Friday, February 3, 2017

Why you should care about CVE-2017-0016 (new SMBv3 0-day)

I've seen a few people talking on social media about how CVE-2017-0016 is just not a big deal. They correctly point out that it can't trigger Remote Code Execution (RCE) and can only be used for Denial of Service (DoS). Both of these are correct. More than a few people have made the mistake of saying something to the effect of "if you have SMB listening on the Internet, you have all sorts of other problems."

But those making the latter statement don't understand the vulnerability. Many previous SMB vulnerabilities, such as MS08-067 (used by Conficker), required the victim host to be listening on the SMB ports (TCP 139 and TCP 445) in order to be exploited. This vulnerability is different: it only requires that the vulnerable host be able to reach an attacker-controlled server on those ports. So SMB need not be exposed to the Internet in the traditional, inbound sense for a host to be exploited. If an attacker can get a user (or an automated process) to visit a malicious link over SMB, the exploit will succeed and the machine will crash.

What do you need to do?
Microsoft has not yet made a patch available. However, there is a publicly available PoC script so attackers can cause mischief today with no work on their part. You need to ensure that your networks don't allow TCP 139 or TCP 445 outbound. Due to the SMB worms of the past, most residential ISPs block TCP 139 and TCP 445. Most business ISP connections do not.

There are tons of reasons not to allow TCP 139 and TCP 445 outbound; they are too numerous to repeat here. If you want to test your network, I set up a test before Badlock last year. The instructions for running it are here. You really should make sure you block SMB outbound from your network; anything less is a ticking time bomb. When we audit small business networks at Rendition Infosec, we see SMB allowed outbound with surprising regularity.
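As an added example (not from the original post, and not the Rendition Infosec test mentioned above), here is a small Python script that audits constructed firewall log lines for SMB traffic leaving the network: any ALLOW of TCP 139 or 445 from an internal host to an outside address means the outbound block the post calls for is missing, while DENY entries show the rule doing its job. The log format and the internal address ranges are assumptions.

```python
import ipaddress
from collections import Counter
# Constructed sample firewall log (not from the post); the one-flow-per-line
# "timestamp action proto src:port > dst:port" format is an assumption.
SAMPLE_LOG = """\
2017-02-03T10:01:02Z ALLOW TCP 10.1.2.33:49211 > 203.0.113.7:445
2017-02-03T10:01:05Z ALLOW TCP 10.1.2.33:49212 > 10.1.2.10:445
2017-02-03T10:02:10Z DENY TCP 10.1.2.44:50100 > 198.51.100.9:139
2017-02-03T10:02:11Z ALLOW TCP 10.1.2.44:50101 > 198.51.100.9:445
2017-02-03T10:03:00Z ALLOW TCP 10.1.2.50:50300 > 192.0.2.80:443
2017-02-03T10:03:20Z ALLOW UDP 10.1.2.50:50301 > 192.0.2.53:53
"""

SMB_PORTS = {139, 445}
# Assumed internal address space (RFC 1918, loopback, link-local); anything
# else counts as outside the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    ts, action, proto, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}

def audit_smb_egress(log_text):
    """Return (allowed, denied) lists of internal->external TCP 139/445 flows;
    anything in 'allowed' means the outbound SMB block is missing."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["dst_port"] not in SMB_PORTS:
            continue
        if is_external(rec["src_ip"]) or not is_external(rec["dst_ip"]):
            continue  # only flows leaving the network are of interest
        (allowed if rec["action"] == "ALLOW" else denied).append(rec)
    return allowed, denied

def offending_hosts(log_text):
    # Internal hosts that were allowed to reach SMB ports outside the network.
    allowed, _ = audit_smb_egress(log_text)
    return Counter(r["src_ip"] for r in allowed)
```

Run against a real export, every host reported by `offending_hosts` is one that an SMB link in an e-mail or web page could point at an attacker's server today.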